Leaky Forms: A Study of Email and Password Exfiltration Before Form Submission


Presented at USENIX Security'22


Email addresses—or identifiers derived from them—are known to be used by data brokers and advertisers for cross-site, cross-platform, and persistent identification of potentially unsuspecting individuals. In order to find out whether access to online forms are misused by online trackers, we present a measurement of email and password collection that occur before form submission on the top 100K websites.

Paper » Source code » Browser add-on »